Privacy incident notification

The incident in this case arose when a server was moved on December 21, 2010 from the Area Office in St. Thomas to the Provincial Office of Legal Aid Ontario. The server contained numerous files dating back ten years, including correspondence with legal aid clients and lawyers who had dealt with the Area Office in St. Thomas. An employee was assigned the task of removing the hard drive from the server. This was not done in a timely way and the server could not be located when staff looked for it. Senior management was advised and the decision was made to immediately advise the Information and Privacy Commissioner's office, which was done.

What has been done in response to the breach:

In accordance with our privacy breach policy, LAO has addressed the issues of containment, notification and prevention.

Containment: LAO contacted the building maintenance personnel and determined that there had been no garbage removal of computer equipment. Inquiries were made of IT staff as to whether anyone removed the server. No one has indicated that they did so.

The server was password protected with two passwords. IT staff have calculated that if an individual used a computer program to attempt to find out the password, at the rate of one million attempts per second, the first password might be obtained in 22.9 years and the second password in 1,648 years, based on statistical probability. This is beyond the capability of the normal person and cannot be done manually. Based on these calculations, Legal Aid Ontario is confident that there is an extremely low risk of any third party breaking into the server through the password protection.

Legal Aid Ontario also undertook testing by a third party provider to test the vulnerability of the server in other respects. The third party tester advised Legal Aid Ontario that if an individual has very specialized knowledge, the password safeguards could be circumvented and the information viewed another way. Accordingly, there is a risk of access to the information on the server.

Notification: The IPC was notified as soon as the privacy breach was known. LAO concluded that it is appropriate to post an advisory to clients and lawyers about the loss of the server on the LAO website. This notification is in accordance with that decision.

Individuals who may be affected by this privacy incident:

If at any time you have concerns about the possible misuse of your personal information in relation to this privacy incident you may contact the credit reporting bureaus (either Equifax at 1-800-465-7166 or www.equifax.ca or TransUnion at 1-800-663-9980 or www.tuc.ca) and inquire as to whether it would be appropriate in the circumstances for your credit file to be flagged to indicate that your personal information may have been put at risk and may be vulnerable to fraud. You may also ask for a copy of your credit report and review it for suspicious activity. As well, it is always advisable to monitor and verify all bank accounts, credit card and other financial transaction statements for any suspicious activity.

For individuals who may have provided Legal Aid Ontario with their Social Insurance Number (SIN): Service Canada assists Canadians with their interactions with the Federal Government. It has guidelines on what to do if a SIN is lost or stolen, which may be accessed at www.servicecanada.gc.ca./eng/sin/lost.shtml

You may also wish to review the publication by the Office of the Information and Privacy Commissioner/Ontario (IPC) entitled, Identity Theft: How to Protect Yourself, which may be accessed at www.ipc.on.ca. You may also obtain a copy of this publication by calling the IPC at (416) 326-3333 or toll free 1-800-387-0073.

If you would like to discuss this matter or you have any questions, please call 416-204-4706 or 1-800-661-8258 ext. 4706 and ask for the FIPPA Co-ordinator.

Prevention: LAO has reviewed its policies and now requires that computer equipment which is to be destroyed will have the data on the hard drive deleted remotely in the originating locations before the equipment is shipped. This will minimize the risk of loss of data, if the equipment is lost in transit. The equipment must be delivered to an IT person, with a signature required. That IT person must then place the equipment into the locked secure IT area until the hard drive is removed from the equipment. An education program is being developed and delivered to staff throughout the province to reinforce the importance of privacy and security.

Previous notices

On October 4, 2010, a staff person at Legal Aid Ontario made a mistake in sending out by fax some information that contained client names and certificate numbers. As a result, the names and certificate numbers of some clients were sent to a law office that was not the office of the counsel representing those clients.

Legal Aid Ontario was contacted by the secretary who received the incorrect information and the fax transmission was stopped. All of the incorrectly faxed information was shredded by the secretary in the law office that had received it, and no one else viewed the information.

LAO is posting this message to notify clients of this privacy issue. LAO is committed to protecting client information and we apologize to all affected clients for this improper disclosure of information. LAO is taking steps to review our policies and procedures to limit the possibility of a similar error happening again.

If you are a legal aid client and you want to know if your name and certificate number were included in this disclosure, please contact Melissa Jean-Baptiste at 416-204-4706 or toll free at 1-800-668-8258 ext. 4706.

Legal Aid Ontario has inadvertently displayed a limited amount of personal information of some clients whose cases were concluded with an award of costs in their favour. As a result, a privacy complaint was made to the Information and Privacy Commissioner.

In resolving this complaint, LAO has undertaken to post an advisory so that clients may be aware of the possibility that a limited amount of personal information may have been displayed.

The affected clients are persons whose cases have been concluded with an award of costs in their favour. Those costs have been assigned to LAO. A letter has been sent to the opposing party who owes costs to LAO, using a window envelope. Because of a change in letter format, the following text was displayed between January 2007 and June 2007:

"The court awarded costs on behalf of our client, (name of client)
The Legal Aid Services Act gives Legal Aid the right to collect costs."

Legal Aid Ontario has corrected the problem and no further disclosures of this nature are taking place. LAO takes seriously its privacy obligations and we offer our apology to affected individuals.

For further information you may contact the Freedom of Information Co-ordinator at Legal Aid Ontario by calling 416-979-1446 or 1 800 668-8258.

Legal Aid Ontario (LAO), an independent but publicly funded and publicly accountable non-profit corporation. None of this material may be commercially reproduced, but copying for other purposes, with credit, is encouraged.